This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Government Suggestions for Office 365 Admin & Security

As an Office 365 admin, the effort to harden enterprise security is key to remaining employed. Recently, United States Cybersecurity and Infrastructure Agency (CISA) combed through Microsoft's Office 365 documentation to pull out some best practices.

Not a week goes by that we do not hear about some company experiencing a data breach. These usually involve customer data containing a lot of personally identifiable information (PII) and they can be very costly for companies due to laws such as the General Data Protection Regulation (GDPR). For an Office 365 admin, making sure the organization's user accounts and settings across the entire tenant are optimized is a top priority.

There are a lot of resources available to an Office 365 admin to help with this process but recently the U.S. Cybersecurity and Infrastructure Agency (CISA) shared some potential configuration vulnerabilities for organizations to be aware of.

As explained by CISA, these configuration issues usually occur when a third party service provider helps an organization with their migration to Office 365 from other services.

“The organizations that used a third party have had a mix of configurations that lowered their overall security posture. In addition, the majority of these organizations did not have a dedicated IT security team to focus on their security in the cloud. These security oversights have led to user and mailbox compromises and vulnerabilities.”

CISA shared four examples of these potential configuration concerns that could happen after a third-party migration to Office 365 and result in a lower security profile for organizations:

Multi-factor authentication for administrator accounts not enabled by default

Mailbox auditing disabled

Password sync enabled

Authentication unsupported by legacy protocols

Of course, CISA’s recommendations mirror those issues listed above and each come with a direct link to the Microsoft Office 365 guidance and information in that area:

Ultimately, every Office 365 admin should be moving their organization users to a modern experience on both desktop and mobile devices. That means removing the use of dated functionality like POP3, IMAP, and SMTP should be a top priority as suggested by CISA.

At the Microsoft Docs website for Office 365, there is an Office 365 security roadmap that can further assist any Office 365 admin to maximize the mix of subscription-related security features for their users. In combination with a modern desktop such as Windows 10, you should be able to easily increase your security posture.